
View Full Version : Linkage of Internal Audit Observations to Business Risk


milind_pednekar
20th April 2007, 01:07 AM
I need your kind guidance and pointers for my query. Based on a review of ISO 9004:200X, I am planning to revise the internal audit strategy and want to link the audit observations (NCRs) to business risks. I have derived two methods (algorithms), one based on the FMEA tool and another referring to the risk levels specified in OHSAS 18001, but I feel they are generic; I am looking for any other method. Can you please help me out with this?

Do I need to derive a risk definition/algorithm, or a kind of audit checklist/risk assessment, separately for each type of audit, i.e. S/w production process audit, product audit (at various stages of S/w development), system audit, support processes audit, unit audit, corporate audit, etc.? If so, can you please provide some pointers?

I have initiated actions towards this and identified risk categories also, but want to know whether I am on track. I am very clear that we are not assessing maturity level, but want to use audit as a tool to identify risk, to demonstrate ROI on the $ amount invested in audit (auditor/auditee man-hour cost, audit coordinating cost).

Randy
20th April 2007, 03:30 AM
You want to use the audit to identify risk? Do whatever would work best for you to suit your need.

Keep it simple

Keep it usable

Keep it understandable

If you don't you might create more risk.

harry
20th April 2007, 03:55 AM

Not sure what 'business risk' you have in mind. As ISO is only concerned with part of the overall business, making use of audit for this purpose can at best address only part of the problem.

I've come across firms carrying out such an exercise before and it was carried out by people who are trained to look at the overall aspect of the business and competent to audit the various aspects (not just quality).

Nevertheless, an interesting idea.

tyker
20th April 2007, 04:25 AM
Almost any initiative which would improve the effectiveness and benefit of internal audits is going to be welcome, and bear in mind Randy's advice to keep things simple and usable.

I evaluate risk in two areas.

Firstly, when planning the audit programme I look at the perceived risks each process may bring to the business/customer and the actual risks as shown by customer feedback. I use that to determine audit frequency and scope, prepare the audit checklists (I don't like that term though, and just use them as reminders) and to determine which auditor to allocate.

Secondly, I evaluate the risk associated with any findings to determine whether they should be classed as non-conformities (action required), observations (there must be a better way of doing things) or trivia (not recorded).

There's nothing sophisticated in the approach, and no numerical values associated with the risk. I always look at records associated with the process, and could look at PFMEAs if I wished, but a lot of it comes from a knowledge of the processes and gut feeling. If you or others can suggest a more sophisticated approach that won't get me bogged down in too much pointless analysis, it will be interesting.

I don't feel any need to justify the costs associated with audits but perhaps that's just arrogance on my part.

milind_pednekar
23rd April 2007, 02:09 AM
I want to clarify "business risk": it is risk to the functioning of the business. It could be in terms of loss of a project, loss of a customer, customer dissatisfaction, hampering a customer's project, revenue loss, effect on brand image, etc., which might arise from loopholes in strategy, planning, operations, tracking or evaluation.

My question is how to quantify, or give a judgement on, whether the process/department (the area being audited) carries risk or not.

Further, when I tried to apply the ranking criteria to the audit NCRs, I was not really able to find the exact risk in a particular project/process/unit. This is because the audit is done on sampling, so if the number of NCRs is few or nil in a particular area being audited, we may not be able to assess the exact risk.

I was thinking of developing a risk assessment questionnaire linked with the audit checklist for each area being audited, but now have a query: whether I have to develop a separate questionnaire for each area. For example, for assessing risk while auditing the Materials Dept., if only incoming inspection is audited, will that require a specific questionnaire? Or, for assessing development projects at the project level, may it require a different questionnaire for each project, considering the stage of development and also the type of development?

Can you please throw some light on this ?

Martijn
25th April 2007, 05:10 AM
As Randy said, keep it simple; steer clear of all sorts of checklists and questionnaires (especially written with capitals) unless it's an absolute necessity.

I think I understand what you are aiming at, and perhaps this might help:


Business risks are always related to the objectives of the company. If there's no objective on a subject, no "unwanted event" (hazard in EH&S terms) can occur.
Business processes (including quality management) are in place to manage business risks.
Auditing business processes means you are auditing the (organizational) control mechanisms in place to manage business risks.


So if you want to link audits and risks, IMHO what you need to do is:

Get a clear picture of objectives
Describe the applicable "unwanted scenarios" for those objectives
Describe the control mechanisms (in this case business processes) in place to manage those risks
Audit the control mechanisms, which should give an idea on how well the relevant risks are managed


And finally, to get all of the lingo right: risk is a tricky word (and actually not always correctly used in my post above). Risks (= probability * effect) always relate to something you do not want to happen: the hazard. The risk says something about the chance this hazard will occur and, if it does, what effects it will have. Risks can be lowered by introducing control mechanisms like forms, procedures, audits (!), etc., either by reducing the effect if the hazard does occur (insurance, for example) or by reducing the probability that the hazard will occur (quality control, for example). Tweaking probability and effect to keep risks (of unwanted events related to company goals) at an acceptable level is the key idea of risk management.

Hope this helps. I believe this approach is the way of the future for quality management, since it makes sense and fits in perfectly with (the less abstract) ISO 14001 and OHSAS 18001. Keep working on this approach; it's a winner IMHO, but please, please, please keep it very, very simple.

Martijn
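The chain Martijn describes (objectives, unwanted scenarios, the controls that manage them, audit of those controls) combined with tyker's finding classes (nonconformity, observation, nothing to record) can be put in a small model that turns audit findings into a residual-risk figure per objective. The code below is an added illustration and is not from any poster in this thread or from any standard; the effectiveness credits per finding class, the split of controls into "preventive" (lowers probability) and "mitigating" (lowers effect), the half credit for an unaudited control, and all sample objectives, hazards and findings are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Credit given to a control per audit finding class (tyker's NC / observation /
# nothing-to-record split). The numeric factors are assumptions for this example.
EFFECTIVENESS = {
    "conforming": 1.0,      # audited, found operating as designed
    "observation": 0.5,     # audited, works but a weakness was noted
    "nonconformity": 0.0,   # audited, not operating: no credit
    "not_audited": 0.5,     # assumption: unknown state gets half credit
}


@dataclass
class Control:
    name: str
    kind: str          # "preventive" lowers probability, "mitigating" lowers effect
    reduction: float   # fraction removed when the control is fully effective, 0..1


@dataclass
class Hazard:
    description: str
    probability: float   # chance of the unwanted event before controls, 0..1
    effect: float        # impact if it occurs (e.g. kEUR) before controls
    controls: List[Control] = field(default_factory=list)


@dataclass
class Objective:
    name: str
    hazards: List[Hazard] = field(default_factory=list)


def inherent_risk(hazard: Hazard) -> float:
    """Risk with no credit for any control: probability * effect."""
    return hazard.probability * hazard.effect


def residual_risk(hazard: Hazard, findings: Dict[str, str]) -> float:
    """Risk after each control's reduction is scaled by its latest audit finding."""
    p, e = hazard.probability, hazard.effect
    for c in hazard.controls:
        credit = EFFECTIVENESS[findings.get(c.name, "not_audited")]
        factor = 1.0 - c.reduction * credit
        if c.kind == "preventive":
            p *= factor
        elif c.kind == "mitigating":
            e *= factor
        else:
            raise ValueError(f"unknown control kind: {c.kind!r}")
    return p * e


def rank_objectives(objectives: List[Objective],
                    findings: Dict[str, str]) -> List[Tuple[str, float, float]]:
    """(objective, inherent, residual) per objective, highest residual risk first."""
    rows = []
    for o in objectives:
        inh = sum(inherent_risk(h) for h in o.hazards)
        res = sum(residual_risk(h, findings) for h in o.hazards)
        rows.append((o.name, round(inh, 2), round(res, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data (not from the thread): two objectives, one hazard each.
SAMPLE_OBJECTIVES = [
    Objective("Deliver project X on schedule", [
        Hazard("Defects found late in the release candidate", 0.4, 100.0, [
            Control("Code review before merge", "preventive", 0.5),
            Control("Release regression test", "mitigating", 0.6),
        ]),
    ]),
    Objective("Retain customer Y", [
        Hazard("Shipment of nonconforming parts", 0.2, 300.0, [
            Control("Incoming inspection", "preventive", 0.7),
        ]),
    ]),
]

# Constructed audit findings, keyed by control name.
SAMPLE_FINDINGS = {
    "Code review before merge": "nonconformity",
    "Release regression test": "conforming",
    "Incoming inspection": "observation",
}

if __name__ == "__main__":
    for name, inh, res in rank_objectives(SAMPLE_OBJECTIVES, SAMPLE_FINDINGS):
        print(f"{name:32} inherent={inh:6.1f} residual={res:6.1f}")
```

The point of the structure is that a finding is never scored on its own: it only changes the credit given to one control, and the control only matters through the hazards and objectives it protects. That answers the sampling concern raised earlier in the thread: an area with few or no NCRs is not "low risk", it is simply an area whose controls keep their current credit, and the inherent figure still shows how much is riding on them.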